Answer» I know you never did, just seems dumb that people are proclaiming it as undetectable just because a patch came out after the WORM, which doesn't preclude detection by any means. In fact, even rootkits are fairly simple to detect.
A rootkit usually patches certain Windows functions, such as FindFirstFile, FindNextFile, CreateFile, etc., to make sure that the functions never find the malware folders and files.
However, this is a very trivial thing to check: simply use the GetProcAddress() API to retrieve the API addresses and compare them to the imported function addresses; if they are different, then we have an issue.
Of course malware could hook GetProcAddress() as well to force it to return the same value as the value it likely soft-patched into the program when it started with a malware AppInit_DLL. The answer to this would be to invoke a callback-accepting API function that would likely be patched, such as EnumWindows or EnumProcessModules (which would be patched to prevent displaying the malware windows and processes). By carefully double-popping the return addresses one can determine whether the call stack really started with program->EnumProcessModules->callback routine. In most cases of malware, it would likely actually be program->malware masker function->EnumProcessModules->callback. By analyzing and popping stack frames we can go all the way back to the calling function and try to VALIDATE each function in between.
Of course one would then try to restore the stack frame to the way it was... perhaps even using the address of the malware function to grab the module filename and displaying that as the rootkit.

Conficker Botnet Stirs, with a Scareware Business Model
ZDNet Blogs, April 10, 2009

The Conficker botnet has stirred to life, using its peer-to-peer communication system to update itself and download scareware (fake anti-virus programs) to millions of infected Windows machines. The Conficker update comes a week after a heavily-hyped April 1st activation date and provides the first sign of the motivation behind this malware threat — financially motivated cybercrime.
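The two checks the first answer above describes (compare each import against a fresh GetProcAddress() resolution, then attribute every return address in a callback's stack to a module and flag the one that is not trusted), as an added portable C illustration that is not from this thread: the Windows calls are replaced by constructed tables, and every address, the hook.dll path and the sample import names are made up for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* One import: export name and the address currently stored in the program's IAT. */
typedef struct { const char *name; uintptr_t iat_value; } ImportEntry;
/* One loaded module, as EnumProcessModules/GetModuleFileName would report it. */
typedef struct { const char *path; uintptr_t base, size; int trusted; } ModuleInfo;
/* Stand-in for GetProcAddress(): resolves an export name to the address the loader hands out. */
typedef uintptr_t (*Resolver)(const char *name);
/* Check 1: an IAT slot that disagrees with a fresh resolution has been patched.
 * Returns the number of mismatching imports; *first receives the first mismatching name. */
int count_hooked_imports(const ImportEntry *imp, int n, Resolver resolve, const char **first) {
    int hooked = 0; *first = NULL;
    for (int i = 0; i < n; i++)
        if (resolve(imp[i].name) != imp[i].iat_value && hooked++ == 0) *first = imp[i].name;
    return hooked;
}
/* Check 2: walk captured return addresses (innermost frame first) and report the first one outside
 * every trusted module: its module path, or "<unmapped>" if no module contains it; NULL = clean chain. */
const char *first_untrusted_frame(const uintptr_t *frames, int n, const ModuleInfo *mods, int m) {
    for (int i = 0; i < n; i++) {
        const ModuleInfo *hit = NULL;
        for (int j = 0; j < m && !hit; j++)
            if (frames[i] >= mods[j].base && frames[i] < mods[j].base + mods[j].size) hit = &mods[j];
        if (!hit) return "<unmapped>";
        if (!hit->trusted) return hit->path;
    }
    return NULL;
}
/* Constructed sample process: every address and the hook.dll path are made up for this demo. */
static const ModuleInfo sample_modules[] = {
    { "C:\\app\\program.exe",                0x00400000, 0x00010000, 1 },
    { "C:\\Windows\\system32\\kernel32.dll", 0x7C800000, 0x000F0000, 1 },
    { "C:\\Windows\\Temp\\hook.dll",         0x10000000, 0x00020000, 0 },
};
static uintptr_t sample_resolve(const char *name) {  /* what the loader really exports */
    if (!strcmp(name, "FindFirstFileW")) return 0x7C80A000;
    if (!strcmp(name, "FindNextFileW"))  return 0x7C80A100;
    return !strcmp(name, "CreateFileW") ? 0x7C80B000 : 0;
}
/* The program's IAT after a malicious AppInit DLL redirected FindFirstFileW into hook.dll. */
static const ImportEntry sample_iat[] = {
    { "FindFirstFileW", 0x10001000 }, { "FindNextFileW", 0x7C80A100 }, { "CreateFileW", 0x7C80B000 },
};
/* Return-address chains: clean = EnumProcessModules then program; masked has hook.dll in between. */
static const uintptr_t clean_chain[]  = { 0x7C812345, 0x00401000 };
static const uintptr_t masked_chain[] = { 0x7C812345, 0x10001200, 0x00401000 };
int demo_hooked_count(void)         { const char *n; return count_hooked_imports(sample_iat, 3, sample_resolve, &n); }
const char *demo_hooked_name(void)  { const char *n; count_hooked_imports(sample_iat, 3, sample_resolve, &n); return n; }
const char *demo_clean_chain(void)  { return first_untrusted_frame(clean_chain, 2, sample_modules, 3); }
const char *demo_masked_chain(void) { return first_untrusted_frame(masked_chain, 3, sample_modules, 3); }
```

On a real system the tables would be filled from the loaded image's import directory, GetProcAddress() and EnumProcessModules(), and the frames from the callback's own stack walk.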
found this to-night, harry

no wonder I can't access the Microsoft website lately.
For those also infected: you probably can't download any fix since the virus blocks access to the Microsoft website and antivirus websites such as Symantec, Sophos, AVG, etc. Then I googled and found a fix here: http://depts.drew.edu/cns/FixDownadup.exe version 1.0.5
Download, then double-click the file. Oops, the virus auto-kills the FixDownadup.exe process. Rename the file so it doesn't contain the string "FixDownadup"; renaming it to FixDownadupx.exe won't work, rename it to something else like "x.exe", then double-click again and click Start to scan.
Scanning in progress.... hopefully it works.
Edit: Quote: Scan Result: W32.Downadup has not been found on your computer. Anyone with a suggestion?

Use Process Explorer, DLL view, copy down malicious DLL names (usually random or COMMON system file names in the wrong location). Drop to the recovery console. Erase them. Reboot. Run HijackThis, remove entries.
This is what I usually do, if MBAM/HijackThis and ComboFix don't work. The TROUBLE is you have to get ALL of them, or else the survivors just revive the deleted ones.

Not sure if it's heading toward us or not; last I heard it was in Salt Lake City. The bad thing is that the hardware tech at a school quite shortly after this.

err- what the heck are you on about? Viruses don't exactly take the bus...

Seems like the virus also blocks procexp.exe, so as usual rename the exe to something else.
Then I killed the process "svchost.exe -k networkservice", and now I can browse to the Microsoft website and antivirus websites. There are a few DLLs attached to it, and all of them look valid.
Now searching for removal tools.
UPDATE: I downloaded the W32.Downadup removal tool from Symantec: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe
Virus gone now; tomorrow I have to check whether the computers on the LAN are also infected or not.
hmm, I wonder which one of the DLLs is the virus?